VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-rx33-aa4d-mudk

Essentials
Severities (31)
References (14)
Severity details (27)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-rx33-aa4d-mudk
Aliases	CVE-2025-64345 GHSA-hc7m-r6v8-hg9q
Summary	Wasmtime is a runtime for WebAssembly. Prior to version 38.0.4, 37.0.3, 36.0.3, and 24.0.5, Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which provides safe access to the host (Rust) to the contents of the linear memory. This is not sound for shared linear memories, which could be modified in parallel, and this could lead to a data race in the host. Patch releases have been issued for all supported versions of Wasmtime, notably: 24.0.5, 36.0.3, 37.0.3, and 38.0.4. These releases reject creation of shared memories via `Memory::new` and shared memories are now excluded from core dumps. As a workaround, eembeddings affected by this issue should use `SharedMemory::new` instead of `Memory::new` to create shared memories. Affected embeddings should also disable core dumps if they are unable to upgrade. Note that core dumps are disabled by default but the wasm threads proposal (and shared memory) is enabled by default.
Status	Published
Exploitability	0.5
Weighted Severity	2.7
Risk	1.4
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

System	Score	Found at
cvssv3	1.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64345.json
epss	0.00013	https://api.first.org/data/v1/epss?cve=CVE-2025-64345
epss	0.00013	https://api.first.org/data/v1/epss?cve=CVE-2025-64345
epss	0.00013	https://api.first.org/data/v1/epss?cve=CVE-2025-64345
epss	0.00013	https://api.first.org/data/v1/epss?cve=CVE-2025-64345
cvssv3.1	1.8	https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new
generic_textual	LOW	https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new
ssvc	Track	https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new
cvssv3.1	1.8	https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new
generic_textual	LOW	https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new
ssvc	Track	https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new
cvssv3.1	1.8	https://docs.wasmtime.dev/stability-release.html
generic_textual	LOW	https://docs.wasmtime.dev/stability-release.html
ssvc	Track	https://docs.wasmtime.dev/stability-release.html
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-hc7m-r6v8-hg9q
cvssv3.1	1.8	https://github.com/bytecodealliance/wasmtime
generic_textual	LOW	https://github.com/bytecodealliance/wasmtime
cvssv3.1	1.8	https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10
generic_textual	LOW	https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10
ssvc	Track	https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10
cvssv3.1	1.8	https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4
generic_textual	LOW	https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4
ssvc	Track	https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4
cvssv3.1	1.8	https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
cvssv3.1_qr	LOW	https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
generic_textual	LOW	https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
ssvc	Track	https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
cvssv3.1	1.8	https://nvd.nist.gov/vuln/detail/CVE-2025-64345
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2025-64345
cvssv3.1	1.8	https://rustsec.org/advisories/RUSTSEC-2025-0118.html
generic_textual	LOW	https://rustsec.org/advisories/RUSTSEC-2025-0118.html

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64345.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-64345
		https://github.com/bytecodealliance/wasmtime
		https://rustsec.org/advisories/RUSTSEC-2025-0118.html
1120699		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1120699
2414696		https://bugzilla.redhat.com/show_bug.cgi?id=2414696
9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10		https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10
CVE-2025-64345		https://nvd.nist.gov/vuln/detail/CVE-2025-64345
GHSA-hc7m-r6v8-hg9q		https://github.com/advisories/GHSA-hc7m-r6v8-hg9q
GHSA-hc7m-r6v8-hg9q		https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q
stability-release.html		https://docs.wasmtime.dev/stability-release.html
struct.Memory.html#method.new		https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new
struct.SharedMemory.html#method.new		https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new
v38.0.4		https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64345.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-12T21:40:25Z/ Found at https://docs.rs/wasmtime/latest/wasmtime/struct.Memory.html#method.new

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-12T21:40:25Z/ Found at https://docs.rs/wasmtime/latest/wasmtime/struct.SharedMemory.html#method.new

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://docs.wasmtime.dev/stability-release.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-12T21:40:25Z/ Found at https://docs.wasmtime.dev/stability-release.html

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/bytecodealliance/wasmtime

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-12T21:40:25Z/ Found at https://github.com/bytecodealliance/wasmtime/commit/9ebb6934f00d58b92fb68ed0e0b16c0ae828ca10

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-12T21:40:25Z/ Found at https://github.com/bytecodealliance/wasmtime/releases/tag/v38.0.4

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-12T21:40:25Z/ Found at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hc7m-r6v8-hg9q

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-64345

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N Found at https://rustsec.org/advisories/RUSTSEC-2025-0118.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.02251
EPSS Score	0.00013
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:57:29.150933+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/64xxx/CVE-2025-64345.json	38.6.0